[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Problems with End Point Reference

Rosa Sanchez Guerrero wrote:
> Dear Sirs,
>  I am a student at the University Carlos III of Madrid and my name is Rosa
> Sanchez Guerrero.
> I am working with identity management using the SAML protocol. We need a
> web
> service provider (WSF) and an identity provider (IdP).
> To implement the role of provider of web services, we decided to use your
> tool ZXID and to implement the role of identity provider using the form of
> Authentic Lasso to recommend in the documentation. The identity provider
> is
> working correctly, and we are trying WSF file zxidhlowsf.c. When we put in
> the web browser https: / / sp1.zxidsp.org: 8443/zxidhlo and try to login,
> it
> connects with the IdP authenticates the user, but when it happens ZXID
> redirection to an internal error in the server. This error occurs in the
> function zxid_find_epr, which is on file zxidepr.c. This function returns
> the End Point Reference null value because in / zxid / ses / SESID not
> created the file SVC, SHA1.

Without seeing the specific log messages I do not know exactly what
is happening. You should also let me know which version of zxid you
are using (latest is 0.32).

> Consult the documentation we have seen that this information is sought
> through a discovery server (DS) or via an assertion in the SSO. However,
> we
> suspect that the server is required and this discovery is commercial. I
> could say some indication of what may be happening (for example, if it is
> necessary for the IdP metadata display something on the End Point
> Reference
> or something similar ...).

In your scenario you presumably want the EPR of the WSP. The WSC can
find this out in two ways:

1. it could have been passed as "bootstrap"
   attribute in the SAML SSO assertion; or
2. it can be discovered from the discovery service, however to discover
   the IdP must have passed a discovery bootstrap attribute containing
   the EPR of the discovery service and the Discovery Service
   must be running.

So I suspect the Lasso IdP is not passing a bootstrap attribute
of either variant.

While ZXID fully implements discovery client, I do ot yet have
Discovery Server implmentation, though this is being worked on
as part of zxid IdP implemetation. Only open source discovery
service implementation I am aware of is by Conor Cahill
but his implmentation is not very well integrated to any SSO IdP.

Other alternative, as you say, is to use a commercial discovery
server implmentation. For example symlabs.com offers free
evaluation version.

What is your timeline for getting the Discovery in place?


> I look forward to hearing from you and* *I aprecciate your attention, warm
> regards.